Krebs on Security

In-depth security news and investigation

Feds: Hackers Ran Concert Ticket Racket

A Russian man detained in Spain is facing extradition to the United States on charges of running an international cyber crime ring that allegedly stole more than $10 million in electronic tickets from e-tickets vendor StubHub.

Vadim Polyakov, 30, was detained while vacationing in Spain. Polyakov is wanted on conspiracy charges to be unsealed today in New York, where investigators with the Manhattan District Attorney’s office and the U.S. Secret Service are expected to announce coordinated raids of at least 20 people in the United States, Canada and the United Kingdom accused of running an elaborate scam to resell stolen e-tickets and launder the profits.

Sources familiar with the matter describe Polyakov, from St. Petersburg, Russia, as the ringleader of the gang, which allegedly used thousands of compromised StubHub user accounts to purchase huge volumes of electronic, downloadable tickets that were fed to a global network of resellers.

Robert Capps, senior director of customer success for RedSeal Networks and formerly head of StubHub’s global trust and safety organization, said the fraud against StubHub — which is owned by eBay — largely was perpetrated with usernames and passwords stolen from legitimate StubHub customers. Capps noted that while banks have long been the target of online account takeovers, many online retailers are unprepared for the wave of fraud that account takeovers can bring.

“In the last year online retailers have come under significant attack by cyber criminals using techniques such as account takeover to commit fraud,” Capps said. “Unfortunately, the transactional risk systems employed by most online retailers are not tuned to detect and defend against malicious use of existing customer accounts. Retooling these systems to detect account takeovers can take some time, leaving retailers exposed to significant financial losses in the intervening time.”

Polyakov is the latest in a recent series of accused Russian hackers detained while traveling abroad and currently facing extradition to the United States. Dmitry Belorossov, a Russian citizen wanted in connection with a federal investigation into a cyberheist gang that leveraged the Gozi Trojan, also is facing extradition to the United States from Spain. He was arrested in Spain in August 2013 while attempting to board a flight back to Russia.

Last month, federal authorities announced they had arrested Russian citizen Roman Seleznev as he was vacationing in the Maldives. Seleznev, the son of a prominent Russian lawyer, is currently being held in Guam and is awaiting extradition to the United States.

Arkady Bukh, a New York criminal lawyer who frequently represents Russian and Eastern European hackers who wind up extradited to the United States, said the Polyakov case will be interesting to watch because his extradition is being handled by New York authorities, not the U.S. government.

“I’m not saying they won’t get some help from the feds, but extradition by state prosecutors is often a failure,” Bukh said. “In fact, I don’t remember the last time we saw a successful extradition of cybercrime suspects by U.S. state prosecutors. You have to have a lot of political juice to pull off that kind of thing, and normally state prosecutors don’t have that kind of juice.”

Nevertheless, Bukh said, U.S. authorities have made it crystal clear that there are few countries outside of Russia and Ukraine which can be considered safe havens for wanted cybercriminals.

“The U.S. government has delivered the message that these guys can get arrested anywhere, that there are very few places they can go and go safely,” Bukh said.

This entry was posted on Wednesday, July 23rd, 2014 at 11:42 am and is filed under Ne'er-Do-Well News.

I heard this story on NPR this morning, but of course without the insights Krebs provides. Makes me wonder if those on the front end of things will EVER really have any possibility to get ahead of the hacking side. So many avenues to pursue in cyber fraud, from the faux tax returns to evolutions in skimmers and selling venues like the one reported here. I wonder how companies are accounting and balancing these days for the losses that must be anticipated due to cyber-shrinkage. We are foolish to think that we average folks aren’t seeing prices padded to account for it.

Well it seems to me that losses due to fraud are a very small fraction of these large operations’ total profits and I hope you are not naive enough to believe that there’s a direct relationship between prices to the consumer and operating costs …

It’s hard to read anything when you spend all your time gazing at your own navel.

Arrogance is trade and parcel for these folks. It’s why they don’t cover their tracks (because Russian language sites will prevent anyone who’s not Russian from finding them, duh), and why they travel with impunity.

“Vadim Polyakov, 30, was detained while vacationing in Spain.” The hackers can now stay safe from arrest in mother Russia and enjoy warm weather by going to Sevastopol, the Miami of Russia, also stolen property.

Brian, Seleznev is the son of a prominent Russian lawmaker (in reality a mockery of a PM, a puppet of Putin’s administration, just like most of the Russian parliament, but it’s a different story), not a lawyer.

Maybe in some cities it was cost-prohibitive, but where I live there were empty seats at the Pearl Jam show. Perhaps it was because the show was on a Tuesday night, but I got my ticket off Craigslist for something like $20-25.

This makes me wonder if it is safe for Americans to vacation in other countries. After all some foreign country or state within a foreign country could charge someone with a crime and the person might not even be aware that they are being pursued.

Actually, there is such a thing as extradition from one state (or, in this case, territory) to another within the United States. However, this is a matter of federal and constitutional law as opposed to negotiated treaty.

I wouldn’t go visiting a Russian puppet state, but the Russian government has spent most of the past decade burning bridges with the first world; they’re unlikely to be able to extradite someone on fake charges.

The first world state will demand to see the requisite documentation and authentication, and they’re pretty good at spotting falsified documentation (even Dubya couldn’t do it).

Mark,
That (saving on service fees) might be possible in a small, non-corporate venue, but going to a place like Madison Square Garden here in NYC you’d probably still have to pay the vig for the ticket, since the contracts still specify it no matter the purchase point.

Unfortunately, the most popular tickets in big cities are sold out electronically within minutes. Even if you were to wait at the box office on the first day of sale, near the head of the line, the best seats will already be sold out by the time you’re called to the window.

In NY, where StubHub does a large part of its business, the problem is compounded by ticket brokers. Ticket brokers (not scalpers) are legal in New York and because they make reliably large purchases to the popular events, many venues set aside blocks of tickets for them. Then the brokers (often using StubHub and similar services) turn around and resell the tickets with markups and fees.

Even where ticket brokers are illegal, there will always be groups buying up batches and scalping them online.

If you’re not lucky enough to get GOOD tickets for a popular event in a big city at a box office, you’ll be overpaying one way or another. 🙁

While I despise the malware crooks, StubHub is nothing but a scalper site. They are one of the main reasons the average person spends a fortune to see a concert or a play, or a sporting event. I feel bad for the people that may have been robbed, but not for StubHub, I hope it goes out of business.

Eh, everyone makes mistakes, I don’t think they’re really bitching about his grammar just pointing them out. Brian can delete responses, if he really didn’t like seeing them they’d be gone.

Personally before I send anything professional I try to get someone else to proofread what I wrote, to spot these kinds of things. With only one set of eyes it’s very easy to overlook grammatical mistakes. Thankfully in the digital age we don’t have to worry about spelling errors (well, so long as you take advantage of dictionary-based spell correctors), but grammar is still tricky.

Microsoft Word really makes me laugh sometimes, it’ll flag a sentence as needing to be reworded, suggest a different sentence, then flag the suggested sentence as needing to be reworded…